I see your point, but we have Java backends and strings there are not null terminated. Also I’m very sure that those would never be the reason for our Postgres server to run out of storage so I don’t get it why not make it more user friendly. We’re not implenting an embedded system where every byte of storage counts.

It can also be just a randomly chosen limit. I work as a software engineer on a custom management software for a big client. For whatever reason until recently, the limit for email addresses in the master data was 50 character. Why? No clue but someone had decided that randomly in the past. Now it was increased to 100. Why again? According to RFC 5321 a limit of 254 would be the most sensible one. But the people who come up with those requirements just don’t care. They decided it to be 100 from now on for no apparent reason.

Then we have many input fields, that have a limit of 255 character. Why not 256? Why such a weird number in general? The people who use this software in production are most likely not the ones who usually think in powers of two. So why not make it 250 or 300 oder whatever?

Sometimes those limits are just arbitrary with no technical or logical reason to back them up. Which doesn’t make it less stupid mind you.

That resonates so well with me. Attending all the meetings, discussing feature requests and evaluating their feasibility is so exhausting. But working overtime for a few days to find and fix the bug that completly halted production? No problem!

I never tried to win any argument. Hell I was not even aware that I’m participating in one. I just wanted to share the info, that even if the vendor is absolutely trustworthy and even if you validated the script by downloading and looking at it, there’s still another hole that’s not obvious to see.

Yes it’s unlikely, but again, I never said it were. There are also arguments you can run curl with, to tell it to do the download first and then push it through the pipe afterwards, though I don’t know them by heart now.

It won’t cost you anything to set those parameters, when you insist to use curl | bash, just in the off chance that someone’s trying to do what I mentioned.

But I’m also someone who usually validates their downloads with a checksum so maybe I’m just weird. Who knows.

Oh, you’re welcome, kind person :)

It is actually a passive detection based of the timing of the chunk requests. Because curl by default will only request new chunks when the buffer is freed by the shell executing the given commands. This then can be used to detect that someone is not merely downloading but simultaneously executing it. Here’s a writeup about it:

https://web.archive.org/web/20250209133823/https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

You can also find some proof-of-concept implementations online to try it out yourself.

You shouldn’t install software from someone you don’t trust anyway because even if the installation process is save, the software itself can do whatever it has permission to.

“So if you trust their software, why not their install script?” you might ask. Well, it is detectable on server side, if you download the script or pipe it into a shell. So even if the vendor it trustworthy, there could be a malicious middle man, that gives you the original and harmless script, when you download it, and serves you a malicious one when you pipe it into your shell.

And I think this is not obvious and very scary.

They dropped the Tidal integration and I’m still heartbroken. It was the best setup for music discovery. Haven’t found a replacement yet.